This post provides a list of great resources that can be used to create a Security Incident and External Breach Notification Plan. The materials were developed by government agencies like the NIST, DOJ, private companies like Experian and Microsoft, associations like the American Bar Association and leading security consultants.
What Goes into a Good Plan?
Gives a good overview of how to “Establish and implement a written data breach response policy”
Really good info!
More info on what should be included in a good plan.
Good RACI chart for assigning responsibilities – Other useful info too
Good questions to answer before and after a breach: See pages 10, 16, 21, 26. Also, this fellow Lenny Zelster appears to be a very knowledgeable consultant. I don't know him personally but he might be a good consulting resource.
What Kind of Questions Should You Ask or Will You be Asked?
Questions that need to be addressed. Sample questions others may ask for which you’ll need to be prepared.
Appendix A contains incident response scenarios and questions for use in incident response tabletop discussions
Appendix E identifies resources that may be useful in planning and performing incident response.
Appendix F covers frequently asked questions about incident response.
Ok. It Happened!
Overview from Experian including info on HIPAA.
Some good info from Microsoft
And a word from the lawyers... :)
Don't Forget Those Pesky State Regulations
For instance:
States In Which Definition for “Personal Information” is Broader Than the General Definition
States That Require Notification Within a Specific Time Frame
Best Practices, Cheat Sheets & Templates – Oh my!
Recent Guidance from DOJ
In Word & Excel formats
Good steps – see page 10-14
That's All Folks!
So there you have it. The above is pretty much all you'll need to assemble a good security incident response plan. There’s no need to develop a plan all on your own. As someone once said: “Good artists borrow, great artists steal.”
For other information on healthcare and information technology, consider following me on Twitter.